<?xmlversion="1.0" encoding="US-ASCII"?> <!-- This template is for creating an Internet Draft using xml2rfc, which is available here: http://xml.resource.org. -->version='1.0' encoding='utf-8'?> <!DOCTYPE rfcSYSTEM "rfc2629.dtd"[<!-- One method to get references from the online citation libraries. There has to be one entity for each item to be referenced. An alternate method (rfc include) is described in the references. --><!ENTITY nbsp " "> <!ENTITY zwsp "​"> <!ENTITY nbhy "‑"> <!ENTITY wj "⁠"> ]><?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?> <!-- used by XSLT processors --> <!-- For a complete list and description of processing instructions (PIs), please see http://xml.resource.org/authoring/README.html. --> <!-- Below are generally applicable Processing Instructions (PIs) that most I-Ds might want to use. (Here they are set differently than their defaults in xml2rfc v1.32) --> <?rfc strict="yes" ?> <!-- give errors regarding ID-nits and DTD validation --> <!-- control the table of contents (ToC) --> <?rfc toc="yes"?> <!-- generate a ToC --> <?rfc tocdepth="4"?> <!-- the number of levels of subsections in ToC. default: 3 --> <!-- control references --> <?rfc symrefs="yes"?> <!-- use symbolic references tags, i.e, [RFC2119] instead of [1] --> <?rfc sortrefs="yes" ?> <!-- sort the reference entries alphabetically --> <!-- control vertical white space (using these PIs as follows is recommended by the RFC Editor) --> <?rfc compact="yes" ?> <!-- do not start each main section on a new page --> <?rfc subcompact="no" ?> <!-- keep one blank line between list items --> <!-- end of list of popular I-D processing instructions --><rfc xmlns:xi="http://www.w3.org/2001/XInclude" category="std" docName="draft-ietf-sfc-nsh-integrity-09"ipr="trust200902">number="9145" ipr="trust200902" obsoletes="" updates="" submissionType="IETF" xml:lang="en" consensus="true" tocInclude="true" tocDepth="4" symRefs="true" sortRefs="true" version="3"> <front> <title abbrev="Integrity Protection for the NSH">Integrity Protection for the Network Service Header (NSH) and Encryption of Sensitive Context Headers</title> <seriesInfo name="RFC" value="9145"/> <author fullname="Mohamed Boucadair" initials="M." surname="Boucadair"> <organization>Orange</organization> <address> <postal><street></street><street/> <city>Rennes</city> <code>35000</code> <country>France</country> </postal> <email>mohamed.boucadair@orange.com</email> </address> </author> <author fullname="TirumaleswarReddy"Reddy.K" initials="T."surname="Reddy">surname="Reddy.K"> <organization>Akamai</organization> <address> <postal> <street>Embassy Golf Link Business Park</street> <city>Bangalore</city> <region>Karnataka</region> <code>560071</code> <country>India</country> </postal> <email>kondtir@gmail.com</email> </address> </author> <author fullname="Dan Wing" initials="D." surname="Wing"> <organization abbrev="Citrix">Citrix Systems, Inc.</organization> <address> <postal><street></street><street/> <country>USA</country> </postal> <email>dwing-ietf@fuggles.com</email> </address> </author> <date/>month="December" year="2021"/> <workgroup>SFC</workgroup> <keyword>Security</keyword> <keyword>Resilience</keyword> <keyword>Automation</keyword> <keyword>Service delivery</keyword> <keyword>Providers</keyword> <keyword>Differentiated services</keyword> <keyword>Traffic Engineering</keyword> <keyword>Attack mitigation</keyword> <abstract> <t>This specification presents an optional method to add integrity protection directly to the Network Service Header (NSH) used for Service Function Chaining (SFC). Also, this specification allows for the encryption of sensitive metadata (MD) that is carried in the NSH.</t> </abstract> </front> <middle> <sectiontitle="Introduction">numbered="true" toc="default"> <name>Introduction</name> <t>Many advanced Service Functions (SFs) are enabled for the delivery of value-added services. Typically, SFs are used to meet various service objectives such as IP address sharing, avoiding covert channels, detecting Denial-of-Service (DoS) attacks and protecting network infrastructures against them, network slicing, etc. Because of the proliferation of such advanced SFs together with complex service deployment constraints that demand more agile service delivery procedures, operators need to rationalize their service delivery logic and control its complexity whileoptimisingoptimizing service activation time cycles. The overall problem space is described in <xreftarget="RFC7498"></xref>.</t>target="RFC7498" format="default"/>.</t> <t><xreftarget="RFC7665"></xref>target="RFC7665" format="default"/> presents a data plane architecture addressing the problematic aspects of existing service deployments, including topological dependence and configuration complexity. It also describes an architecture for the specification, creation, and maintenance of Service Function Chains (SFCs) within anetwork. Thatnetwork, that is, how to define an ordered set of SFs and ordering constraints that must be applied to packets/flows selected as a result of traffic classification. <xreftarget="RFC8300"></xref>target="RFC8300" format="default"/> specifies the SFC encapsulation: Network Service Header (NSH).</t> <t>The NSH data is unauthenticated and unencrypted, forcing a service topology that requires security and privacy to use a transport encapsulation that supports such features(Section 8.2 of <xref target="RFC8300"></xref>).</t>(<xref target="RFC8300" section="8.2" sectionFormat="of"/>).</t> <t>Note that some transport encapsulations (e.g., IPsec) only provide hop-by-hop security between two SFC data plane elements (e.g., two Service Function Forwarders (SFFs), SFF to SF) and do not provide SF-to-SF security of NSH metadata. For example, if IPsec is used, SFFs or SFs within a Service Function Path (SFP) that are not authorized to access the sensitive metadata (e.g., privacy-sensitive information) will have access to the metadata. As a reminder, the metadata referred to is information that is inserted by Classifiers or intermediate SFs and shared with downstream SFs; such information is not visible to the communication endpoints(Section 4.9 of <xref target="RFC7665"></xref>).</t>(<xref target="RFC7665" section="4.9" sectionFormat="of"/>).</t> <t>The lack of such capability was reported during the development of <xreftarget="RFC8300"></xref>target="RFC8300" format="default"/> and <xreftarget="RFC8459"></xref>.target="RFC8459" format="default"/>. The reader may refer toSection 3.2.1 of<xreftarget="I-D.arkko-farrell-arch-model-t"></xref>target="I-D.arkko-farrell-arch-model-t" section="3.2.1" sectionFormat="of"/> for a discussion on the need for more awareness about attacks from within closed domains.</t> <t>This specification fills that gap for SFC (that is, it defines the "NSH Variable Header-Based Integrity" option mentioned inSection 8.2.1 of<xreftarget="RFC8300"></xref>).target="RFC8300" section="8.2.1" sectionFormat="of"/>). Concretely, this document adds integrity protection and optional encryption of sensitive metadata directly to the NSH (<xreftarget="overview"></xref>).target="overview" format="default"/>). The integrity protection covers the packet payload and provides replay protection (<xreftarget="time"></xref>).target="time" format="default"/>). Thus, the NSH does not have to rely upon an underlying transport encapsulation for security.</t> <t>This specification introduces new Variable-Length Context Headers to carry fields necessary for integrity-protected NSH headers and encrypted Context Headers (<xreftarget="new"></xref>).target="new" format="default"/>). This specification is only applicable to NSH MD Type 0x02(Section 2.5 of <xref target="RFC8300"></xref>).(<xref target="RFC8300" section="2.5" sectionFormat="of"/>). MTU considerations are discussed in <xreftarget="MTU"></xref>.target="MTU" format="default"/>. This specification is not applicable to NSH MD Type 0x01(Section 2.4 of <xref target="RFC8300"></xref>)(<xref target="RFC8300" section="2.4" sectionFormat="of"/>) because that MD Type only allows a Fixed-Length Context Header whose size is16-bytes;16 bytes; that is not sufficient to accommodate both the metadata and message integrity of the NSH data.</t> <t>This specification limits access to NSH-supplied information along an SFP to entities that have a need to interpret it.</t> <t>The mechanism specified in this document does not preclude the use of transport security. Such considerations aredeployment-specific.</t>deployment specific.</t> <t>It is out of the scope of this document to specify an NSH-aware control plane solution.</t> </section> <section anchor="notation"title="Terminology">numbered="true" toc="default"> <name>Terminology</name> <t>The key words"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY","<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and"OPTIONAL""<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described inBCP 14BCP 14 <xreftarget="RFC2119"></xref>target="RFC2119" format="default"/> <xreftarget="RFC8174"></xref>target="RFC8174" format="default"/> when, and only when, they appear in all capitals, as shown here.</t> <t>This document makes use of the terms defined in <xreftarget="RFC7665"></xref>target="RFC7665" format="default"/> and <xreftarget="RFC8300"></xref>.target="RFC8300" format="default"/>. The term "transport encapsulation" used in this document refers to the outer encapsulation (e.g., Generic Routing Encapsulation (GRE), IPsec, and Generic Protocol Extension forVXLANVirtual eXtensible Local Area Network (VXLAN-GPE)) that is used to carry NSH-encapsulated packets as perSection 4 of<xreftarget="RFC8300"></xref>.</t>target="RFC8300" section="4" sectionFormat="of"/>.</t> <t>The document defines the followingterms:<list style="hanging"> <t hangText="SFCterms:</t> <dl newline="false" spacing="normal"> <dt>SFC data planeelement:">Referselement:</dt> <dd>Refers to NSH-aware SF, SFF, the SFC Proxy, or the Classifier as defined in the SFC data plane architecture <xreftarget="RFC7665"></xref>target="RFC7665" format="default"/> and further refined in <xreftarget="RFC8300"></xref>.</t> <t hangText="SFCtarget="RFC8300" format="default"/>.</dd> <dt>SFC controlelement:">Iselement:</dt> <dd>Is a logical entity that instructs one or more SFC data plane elements on how to process NSH packets within an SFC-enableddomain.</t> <t hangText="Key Identifier:">Isdomain.</dd> <dt>Key Identifier:</dt> <dd>Is used to identify keys to authorized entities. See, for example,'kid'"kid" usage in <xreftarget="RFC7635"></xref>.</t> <t hangText="NSH data:">Thetarget="RFC7635" format="default"/>.</dd> <dt>NSH data:</dt> <dd>The NSH is composed of a Base Header, a Service Path Header, and optional Context Headers. NSH data refers to all the above headers and the packet or frame on which the NSH is imposed to realize anSFP.</t> <t hangText="NSH imposer:">RefersSFP.</dd> <dt>NSH imposer:</dt> <dd>Refers to an SFC data plane element that is entitled to impose the NSH with the Context Headers defined in thisdocument.</t> </list></t>document.</dd> </dl> </section> <section anchor="req"title="Assumptionsnumbered="true" toc="default"> <name>Assumptions and BasicRequirements"> <t>Section 2 of <xref target="RFC8300"></xref>Requirements</name> <t><xref target="RFC8300" section="2" sectionFormat="of"/> specifies that the NSH data can be spread over threeheaders:<list style="symbols"> <t>Baseheaders:</t> <dl> <dt>Base Header:Provides</dt> <dd>Provides information about the service header and the payloadprotocol.</t> <t>Serviceprotocol. </dd> <dt>Service Path Header:Provides</dt> <dd>Provides path identification and location within anSFP.</t> <t>ContextSFP. </dd> <dt>Context Header(s):Carries</dt> <dd>Carries metadata (i.e., context data) along a servicepath.</t> </list></t>path. </dd> </dl> <t>The NSH allows sharing context information(a.k.a.,(a.k.a. metadata) with downstream NSH-aware data plane elements on aper SFC/SFPper-SFC/SFP basis. To thataim:<list style="empty"> <t>Theaim:</t> <ul spacing="normal"> <li>The Classifier is instructed by an SFC control element about the set of context information to be supplied for a given service functionchain.</t> <t>Anchain.</li> <li>An NSH-aware SF is instructed by an SFC control element about any metadata it needs to attach to packets for a given service function chain. This instruction may occur any time during the validity lifetime of an SFC/SFP. For a given service function chain, the NSH-aware SF is also provided with an order for consuming a set of contexts supplied in apacket.</t> <t>Anpacket.</li> <li>An NSH-aware SF can also be instructed by an SFC control element about the behavior it should adopt after consuming context information that was supplied in the NSH. For example, the context information can be maintained, updated, orstripped.</t> <t>Anstripped.</li> <li>An SFC Proxy may be instructed by an SFC control element about the behavior it should adopt to process the context information that was supplied in the NSH on behalf of an NSH-unaware SF (e.g., the context information can be maintained or stripped). The SFC Proxy may also be instructed to add some new context information into the NSH on behalf of an NSH-unawareSF.</t> </list></t>SF.</li> </ul> <t>In reference toTable 1, <list style="symbols"> <t>Classifiers,<xref target="NSH"/>:</t> <ul spacing="normal"> <li>Classifiers, NSH-aware SFs, and SFC proxies are entitled to update the ContextHeader(s).</t> <t>OnlyHeader(s).</li> <li>Only NSH-aware SFs and SFC proxies are entitled to update the Service PathHeader.</t> <t>SFFsHeader.</li> <li>SFFs are entitled to modify the Base Header (TTL value, for example). Nevertheless, SFFs are not supposed to act on the Context Headers or look into the content of the Context Headers(Section 4.3 of <xref target="RFC7665"></xref>).</t> </list></t>(<xref target="RFC7665" section="4.3" sectionFormat="of"/>).</li> </ul> <t>Thus, the followingrequirements:<list style="symbols"> <t>Onlyrequirements:</t> <ul spacing="normal"> <li>Only Classifiers, NSH-aware SFs, and SFC proxies must be able to encrypt and decrypt a given ContextHeader.</t> <t>BothHeader.</li> <li>Both encrypted and unencrypted Context Headers may be included in the sameNSH.</t> <t>TheNSH.</li> <li>The solution must provide integrity protection for the Service PathHeader.</t> <t>TheHeader.</li> <li>The solution must provide optional integrity protection for the Base Header. The implications of disabling such checks are discussed in <xreftarget="mac1"></xref>.</t> </list></t> <t><figure align="center"> <artwork align="center"><![CDATA[+----------------+-----------------------------+-------------------+ | | Insert,target="mac1" format="default"/>.</li> </ul> <table anchor="NSH"> <name>Summary of NSH Actions</name> <thead> <tr> <th rowspan="2" colspan="1" align="center">SFC Data Plane Element</th> <th colspan="3" align="center">Insert, remove, or replace| Update the NSH | | |theNSH | | | | | | | SFC Data Plane +---------+---------+---------+---------+---------+ | Element | | | |Decrement| Update | | | Insert | Remove | Replace |NSH</th> <th colspan="2" align="center">Update the NSH</th> </tr> <tr > <th align="center">Insert</th> <th align="center">Remove</th> <th align="center">Replace</th> <th align="center">Decrement Service| Context | | | | | | Index |Header(s)| +================+=========+=========+=========+=========+=========+ | | + | | + | | + | | Classifier | | | | | | +----------------+---------+---------+---------+---------+---------+ |Service Function| | + | | | | |Forwarder (SFF) | | | | | | +----------------+---------+---------+---------+---------+---------+ |Service Function| | | | + | + | | (SF) | | | | | | +----------------+---------+---------+---------+---------+---------+ | | + | + | | + | + | | SFC Proxy | | | | | | +----------------+---------+---------+---------+---------+---------+ Table 1: Summary of NSH Actions]]></artwork> </figure></t> <t></t>Index</th> <th align="center">Update Context Header(s)</th> </tr> </thead> <tbody> <tr> <td>Classifier</td> <td align="center">+</td> <td></td> <td align="center">+</td> <td></td> <td align="center">+</td> </tr> <tr> <td>Service Function Forwarder (SFF)</td> <td></td> <td align="center">+</td> <td></td> <td></td> <td></td> </tr> <tr> <td>Service Function (SF)</td> <td></td> <td></td> <td></td> <td align="center">+</td> <td align="center">+</td> </tr> <tr> <td>Service Function Chaining (SFC) Proxy</td> <td align="center">+</td> <td align="center">+</td> <td></td> <td align="center">+</td> <td align="center">+</td> </tr> </tbody> </table> </section> <section anchor="overview"title="Design Overview"> <t></t>numbered="true" toc="default"> <name>Design Overview</name> <sectiontitle="Supportednumbered="true" toc="default"> <name>Supported SecurityServices">Services</name> <t>This specification provides the functions described in the following subsections.</t> <sectiontitle="Encryptnumbered="true" toc="default"> <name>Encrypt All or a Subset of ContextHeaders">Headers</name> <t>The solution allows encrypting all or a subset of NSH Context Headers by Classifiers, NSH-aware SFs, and SFC proxies.</t> <t>As depicted inTable 2,<xref target="encryption"/>, SFFs are not involved in data encryption.</t><t><figure> <artwork><![CDATA[ +-----------------+------------------------------+------------------+ |<table anchor="encryption"> <name>Encryption Function Supported by SFC Data Plane|Elements</name> <thead> <tr> <th> Data Plane Element</th> <th> Base and Service Path| Context Header | | Element |HeadersEncryption | Encryption | +-----------------+------------------------------+------------------+ | Classifier | No | Yes | | SFF | No | No | |Encryption</th> <th>Context Header Encryption</th> </tr> </thead> <tbody> <tr> <td>Classifier</td> <td>No</td><td>Yes</td> </tr><tr> <td>SFF</td> <td>No</td> <td>No</td> </tr><tr> <td> NSH-awareSF | No | Yes | | SFC Proxy | No | Yes | | NSH-unaware SF | No |SF</td> <td>No</td> <td>Yes</td> </tr><tr> <td>SFC Proxy</td> <td> No| +-----------------+------------------------------+------------------+ Table 2: Encryption Function Supported by SFC Data Plane Elements]]></artwork> </figure></t></td><td>Yes</td> </tr><tr> <td>NSH-unaware SF</td> <td>No</td> <td>No</td> </tr> </tbody> </table> <t>Classifier(s), NSH-aware SFs, and SFC proxies are instructed with the set of Context Headers (privacy-sensitive metadata, typically) that must be encrypted. Encryption keying material is only provided to these SFC data plane elements.</t> <t>The control plane may indicate the set of SFC data plane elements that are entitled to supply a given Context Header (e.g., in reference to their identifiers as assigned within the SFC-enabled domain). It is out of the scope of this document to elaborate on how such instructions are provided to the appropriate SFC data planeelements,elements nor to detail the structure used to store the instructions.</t> <t>The Service Path Header(Section 2 of <xref target="RFC8300"></xref>)(<xref target="RFC8300" section="2" sectionFormat="of"/>) is not encrypted because SFFs use the Service Index (SI) in conjunction with the Service Path Identifier (SPI) for determining the next SF in the path.</t> </section> <sectiontitle="Integrity Protection">numbered="true" toc="default"> <name>Integrity Protection</name> <t>The solution provides integrity protection for the NSH data. Two levels of assurance (LoAs) are supported.</t> <t>The first level of assurance is where all NSH data except the Base Header are integrity protected (<xreftarget="first"></xref>).target="first" format="default"/>). In this case, the NSH imposer may be a Classifier, an NSH-aware SF, or an SFC Proxy. SFFs are not provided with authentication material. Further details are discussed in <xreftarget="enc1"></xref>.<figure align="center" anchor="first" title="Firsttarget="enc1" format="default"/>.</t> <figure anchor="first"> <name>First Level ofAssurance">Assurance</name> <artworkalign="center"><![CDATA[align="center" name="" type="" alt=""><![CDATA[ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Transport Encapsulation | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+... | Base Header | | +->+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ N | | Service Path Header | S | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ H | | Context Header(s) | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+... | | Original Packet | +->+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +------Scope ofintegrity protectedintegrity-protected data ]]></artwork></figure></t></figure> <t>The second level of assurance is where all NSH data, including the Base Header, are integrity protected (<xreftarget="sec"></xref>).target="sec" format="default"/>). In this case, the NSH imposer may be a Classifier, an NSH-aware SF, an SFF, or an SFC Proxy. Further details are provided in <xreftarget="enc2"></xref>.</t> <t><figure align="center" anchor="sec" title="Secondtarget="enc2" format="default"/>.</t> <figure anchor="sec"> <name>Second Level ofAssurance">Assurance</name> <artworkalign="center"><![CDATA[align="center" name="" type="" alt=""><![CDATA[ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Transport Encapsulation | +->+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+... | | Base Header | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ N | | Service Path Header | S | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ H | | Context Header(s) | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+... | | Original Packet | +->+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +----Scope ofintegrity protectedintegrity-protected data ]]></artwork></figure></t></figure> <t>Theintegrity protectionintegrity-protection scope is explicitly signaled to NSH-aware SFs, SFFs, and SFC proxies in the NSH by means of a dedicated MD Type (<xreftarget="new"></xref>).</t>target="new" format="default"/>).</t> <t>In both levels of assurance, the Context Headers and the packet on which the NSH is imposed are subject to integrity protection.</t><t>Table 3<t><xref target="integrity"/> classifies the data plane elements as being involved or not involved in providing integrity protection for theNSH or not.</t> <t><figure> <artwork><![CDATA[ +--------------------+----------------------------------+ |NSH.</t> <table anchor="integrity"> <name>Integrity Protection Supported by SFC Data PlaneElement | Integrity Protection | +--------------------+----------------------------------+ | Classifier | Yes | | SFF |Elements</name> <thead> <tr> <th>Data Plane Element</th> <th>Integrity Protection</th> </tr> </thead> <tbody> <tr> <td> Classifier</td> <td> Yes</td> </tr><tr> <td> SFF</td> <td> No (first LoA); Yes (secondLoA) | |LoA)</td> </tr><tr> <td> NSH-awareSF | Yes | | SFC Proxy | Yes | |SF</td> <td>Yes</td> </tr><tr> <td> SFC Proxy</td> <td>Yes</td> </tr><tr> <td> NSH-unawareSF | No | +--------------------+----------------------------------+ Table 3: Integrity Protection Supported by SFC Data Plane Elements]]></artwork> </figure></t>SF</td> <td> No</td> </tr> </tbody> </table> </section> </section> <sectiontitle="Onenumbered="true" toc="default"> <name>One Secret Key, Two SecurityServices">Services</name> <t>The Authenticated Encryption with Associated Data (AEAD) interface defined inSection 5 of<xreftarget="RFC5116"></xref>target="RFC5116" section="5" sectionFormat="of"/> is used to encrypt the Context Headers that carry sensitive metadata and to provide integrity protection for the encrypted Context Headers.</t> <t>The secondary keysMAC_KEY"MAC_KEY" andENC_KEY"ENC_KEY" are generated from the input secret key (K) as follows; each of these two keys is an octetstring:<list style="hanging"> <t hangText="MAC_KEY:">consistsstring:</t> <dl newline="false" spacing="normal"> <dt>MAC_KEY:</dt> <dd>Consists of the initial MAC_KEY_LEN octets of K, in order. The MAC_KEY is used for calculating the message integrity of the NSH data. In other words, the integrity protection provided by the cryptographic mechanism is extended to also provide protection for the unencrypted Context Headers and the packet on which the NSH isimposed.</t> <t hangText="ENC_KEY:">consistsimposed.</dd> <dt>ENC_KEY:</dt> <dd>Consists of the final ENC_KEY_LEN octets of K, in order. The ENC_KEY is used as the symmetric encryption key for encrypting the ContextHeaders.</t> </list></t>Headers.</dd> </dl> <t>The Hashed Message AuthenticationModeCode (HMAC) algorithm discussed in <xreftarget="RFC4868"></xref>target="RFC4868" format="default"/> is used to protect the integrity of the NSH data. The algorithm for implementing and validating HMACs is provided in <xreftarget="RFC2104"></xref>.</t>target="RFC2104" format="default"/>.</t> <t>The advantage of using both AEAD and HMAC algorithms (instead of just AEAD) is that NSH-aware SFs and SFC proxies only need tore-computerecompute the message integrity of the NSH data after decrementing theService Index (SI)SI and do not have tore-computerecompute the ciphertext. The other advantage is that SFFs do not have access to the ENC_KEY and cannot act on the encrypted ContextHeadersHeaders, and (in the case of the second level of assurance) SFFs do have access to the MAC_KEY. Similarly, an NSH-aware SF or SFC Proxy not allowed to decrypt the Context Headers will not have access to the ENC_KEY.</t> <t>The authenticated encryption algorithm or HMAC algorithm to be used by SFC data plane elements is typically controlled using the SFC control plane.Mandatory to implementMandatory-to-implement authenticated encryption and HMAC algorithms are listed in <xreftarget="mti"></xref>.</t>target="mti" format="default"/>.</t> <t>The authenticated encryption process takes four inputs, each of which is an octet string: a secret key (ENC_KEY, referred to asK"K" in <xreftarget="RFC5116"></xref>),target="RFC5116" format="default"/>), a plaintext (P), associated data (A) (which contains the data to beauthenticated,authenticated but not encrypted), and a nonce (N). A ciphertext (C) is generated as an output as discussed inSection 2.1 of<xreftarget="RFC5116"></xref>.</t>target="RFC5116" section="2.1" sectionFormat="of"/>.</t> <t>In order to decrypt and verify, the cipher takesas inputENC_KEY, N, A, andC.C as input. The output is either the plaintext or an error indicating that the decryption failed as described inSection 2.2 of<xreftarget="RFC5116"></xref>.</t>target="RFC5116" section="2.2" sectionFormat="of"/>.</t> </section> <section anchor="mti"title="Mandatory-to-Implementnumbered="true" toc="default"> <name>Mandatory-to-Implement Authenticated Encryption and HMACAlgorithms">Algorithms</name> <t>Classifiers, NSH-aware SFs, and SFC proxiesMUST<bcp14>MUST</bcp14> implement the AES_128_GCM <xreftarget="GCM"></xref><xref target="RFC5116"></xref>target="GCM" format="default"/><xref target="RFC5116" format="default"/> algorithm andSHOULD<bcp14>SHOULD</bcp14> implement the AES_192_GCM and AES_256_GCM algorithms.</t> <t>Classifiers, NSH-aware SFs, and SFC proxiesMUST<bcp14>MUST</bcp14> implement the HMAC- SHA-256-128 algorithm andSHOULD<bcp14>SHOULD</bcp14> implement the HMAC-SHA-384-192 and HMAC-SHA-512-256 algorithms.</t> <t>SFFsMAY<bcp14>MAY</bcp14> implement the aforementioned cipher suites and HMACalgorithms.</t> <t><list style="hanging">algorithms. </t> <thangText="Note:">Theindent="3"> Note: The use of the AES_128_CBC_HMAC_SHA_256 algorithm would have avoided the need for a second 128-bit authentication tag, but due to the nature of how Cipher Block Chaining (CBC) mode operates, AES_128_CBC_HMAC_SHA_256 allows for the malleability of plaintexts. This malleability allows for attackers that know theMACMessage Authentication Code (MAC) key but not the encryption key to make changes in the ciphertext and, if parts of the plaintext are known, create arbitrary blocks of plaintext. This specification mandates the use of separate AEAD and MAC protections to prevent this type ofattack.</t> </list></t>attack. </t> </section> <section anchor="kms"title="Key Management">numbered="true" toc="default"> <name>Key Management</name> <t>The procedure for the allocation/provisioning of secret keys (K) and the authenticated encryption algorithm or MAC_KEY and HMAC algorithm is outside the scope of this specification. As such, this specification does not mandate the support of any specific mechanism.</t> <t>The document does not assume nor preclude thefollowing:<list style="symbols"> <t>Thefollowing:</t> <ul spacing="normal"> <li>The same keying material is used for all the service functions used within an SFC-enableddomain.</t> <t>Distinctdomain.</li> <li>Distinct keying material is used per SFP by all involved SFC data pathelements.</t> <t>Per-tenantelements.</li> <li>Per-tenant keys areused.</t> </list></t>used.</li> </ul> <t>In order to accommodate deployments relying upon keying material per SFC/SFP and also the need to update keys after encrypting NSH data for a certain amount of time, this document uses key identifiers to unambiguously identify the appropriate keying material and associated algorithms for MAC and encryption. This use of in-band identifiers addresses the problem of the synchronization of keying material.</t> <t>Additional information on manual vs. automated key management and when one should be used over the other can be found in <xreftarget="RFC4107"></xref>.</t>target="RFC4107" format="default"/>.</t> <t>The risk involved in using a group-shared symmetric key increases with the size of the group to which it is shared. Additional security issues are discussed in <xreftarget="Security"></xref>.</t>target="Security" format="default"/>.</t> </section> <section anchor="newch"title="Newnumbered="true" toc="default"> <name>New NSH Variable-Length ContextHeaders">Headers</name> <t>New NSH Variable-Length Context Headers are defined in <xreftarget="new"></xref>target="new" format="default"/> for NSH data integrity protection and, optionally, encryption of Context Headers carrying sensitive metadata. Concretely, an NSH imposer includes (1) the key identifier to identify the keying material, (2) the timestamp to protect against replay attacks (<xreftarget="time"></xref>),target="time" format="default"/>), and (3)the Message Authentication Code (MAC)MAC for the target NSH data (depending on theintegrity protectionintegrity-protection scope) calculated usingtheMAC_KEYand optionallyand, optionally, Context Headers encrypted using ENC_KEY.</t> <t>An SFC data plane element that needs to check the integrity of the NSH data uses the MAC_KEY andtheHMAC algorithm for the key identifier being carried in the NSH.</t> <t>An NSH-aware SF or SFC Proxy that needs to decrypt some Context Headers uses ENC_KEY and the decryption algorithm for the key identifier being carried in the NSH.</t> <t><xreftarget="prorules"></xref>target="prorules" format="default"/> specifies the detailed procedure.</t> </section> <section anchor="nsh-in-nsh"title="Encapsulationnumbered="true" toc="default"> <name>Encapsulation of NSH withinNSH">NSH</name> <t>As discussed inSection 3 of<xreftarget="RFC8459"></xref>,target="RFC8459" section="3" sectionFormat="of"/>, an SFC-enabled domain(called,(called an upper-level domain) may be decomposed into many sub-domains(called,(called lower-level domains). In order to avoid maintaining state to restorebackupper-level NSH information at the boundaries of lower-level domains, two NSH levels are used: an Upper-NSHwhichthat is imposed at the boundaries of the upper-level domain and a Lower-NSH that is pushed by the Classifier of a lower-level domain in front of the original NSH (<xreftarget="nest"></xref>).target="nest" format="default"/>). As such, the Upper-NSH information is carried along the lower-level chain without modification. The packet is forwarded in the top-level domain according to the Upper-NSH, while it is forwarded according to the Lower-NSH in a lower-level domain.</t><t><figure align="center" anchor="nest" title="Encapsulation<figure anchor="nest"> <name>Encapsulation of NSH withinNSH">NSH</name> <artworkalign="center"><![CDATA[align="center" name="" type="" alt=""><![CDATA[ +---------------------------------+ | Transport Encapsulation | +->+---------------------------------+ | | Lower-NSH Header | | +---------------------------------+ | | Upper-NSH Header | | +---------------------------------+ | | Original Packet | +->+---------------------------------+ | | +----Scope of NSH security protection provided by a lower-level domain ]]></artwork></figure></t></figure> <t>SFC data plane elements of a lower-level domain include the Upper-NSH when computing the MAC.</t> <t>Keying material used at the upper-level domainSHOULD NOT<bcp14>SHOULD NOT</bcp14> be the same as the one used by a lower-level domain.</t> </section> </section> <section anchor="new"title="Newnumbered="true" toc="default"> <name>New NSH Variable-Length ContextHeaders">Headers</name> <t>This section specifies the format of new Variable-Length ContextheadersHeaders that are used for NSH integrity protection and, optionally, ContextHeadersHeader encryption.</t> <t>In particular, this section defines two "MAC and Encrypted Metadata" ContextHeaders;Headers, each having specific deployment constraints. Unlike <xreftarget="enc1"></xref>,target="enc1" format="default"/>, the level of assurance provided in <xreftarget="enc2"></xref>target="enc2" format="default"/> requires sharing MAC_KEY with SFFs. Both ContextheadersHeaders have the same format as shown in <xreftarget="mac"></xref>.</t> <t><figure align="center" anchor="mac" title="MACtarget="mac" format="default"/>.</t> <figure anchor="mac"> <name>MAC and Encrypted Metadata ContextHeader">Header</name> <artworkalign="center"><![CDATA[align="center" name="" type="" alt=""><![CDATA[ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Metadata Class | Type |U| Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Key Id Len | Key Identifier (Variable) ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ Timestamp (8 bytes) ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Nonce Length | Nonce (Variable) ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Message Authentication Code and optional Encrypted | ~ Context Headers (Variable) ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+]]></artwork></figure></t></figure> <t>The "MAC and Encrypted Metadata" Context Headers are padded out to a multiple of 4 bytes as perSection 2.2 of<xreftarget="RFC8300"></xref>.target="RFC8300" section="2.2" sectionFormat="of"/>. The "MAC and Encrypted Metadata" Context Header, if included,MUST<bcp14>MUST</bcp14> always be the last Context Header.</t> <section anchor="enc1"title="MAC#1numbered="true" toc="default"> <name>MAC#1 ContextHeader"> <t>MAC#1Header</name> <t>The MAC#1 Context Header is avariable-lengthVariable-Length Context Header that carriesthe Message Authentication Code (MAC)MAC for the Service Path Header, Context Headers, and the inner packet on which NSH is imposed, calculated usingMAC_KEY, and optionallyMAC_KEY and, optionally, Context Headers encrypted using ENC_KEY. The scope of the integrity protection provided by this Context Header is depicted in <xreftarget="scope1"></xref>.</t>target="scope1" format="default"/>.</t> <t>This MAC scheme does not require sharing MAC_KEY with SFFs. It does not requireto re-computerecomputing the MAC by each SFF because of TTL processing. <xreftarget="mac1"></xref>target="mac1" format="default"/> discusses the possible threat associated with this level of assurance.</t> <figurealign="center" anchor="scope1" title="Scopeanchor="scope1"> <name>Scope ofMAC#1">MAC#1</name> <artworkalign="center"><![CDATA[align="center" name="" type="" alt=""><![CDATA[ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Ver|O|U| TTL | Length |U|U|U|U|MD Type| Next Protocol | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<--+ | Service Path Identifier | Service Index | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ~ Variable-Length Unencrypted Context Headers (opt.) ~ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Metadata Class | Type |U| Length | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Key Id Len | Key Identifier (Variable) ~ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ~ Timestamp (8 bytes) ~ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Nonce Length | Nonce (Variable) ~ | +->+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ Encrypted Context Headers (opt.) ~ | +->+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ Message Authentication Code ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | | | | ~ Inner Packet on which NSH is imposed ~ | | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<--| | | |Integrity ProtectionIntegrity-Protection Scope ----+ +----Encrypted Data ]]></artwork> </figure><t></t><t>In reference to <xreftarget="mac"></xref>,target="mac" format="default"/>, the description of the fields is asfollows:<list style="hanging"> <t hangText="Metadata Class:">MUSTfollows:</t> <dl newline="false" spacing="normal" indent="12"> <dt>Metadata Class:</dt> <dd><bcp14>MUST</bcp14> be set to 0x0(Section 2.5.1 of <xref target="RFC8300"></xref>).</t> <t hangText="Type:">TBD1 (See(<xref target="RFC8300" section="2.2" sectionFormat="of"/>).</dd> <dt>Type:</dt> <dd>0x02 (see <xreftarget="IANA"></xref>)</t> <t hangText="U:">Unassignedtarget="IANA" format="default"/>).</dd> <dt>U:</dt> <dd>Unassigned bit(Section 2.5.1 of <xref target="RFC8300"></xref>).</t> <t hangText="Length:">Indicates(<xref target="RFC8300" section="2.5.1" sectionFormat="of"/>).</dd> <dt>Length:</dt> <dd>Indicates the length of the variable-lengthmetadata,metadata in bytes. Padding considerations are discussed inSection 2.5.1 of<xreftarget="RFC8300"></xref>.</t> <t hangText="Keytarget="RFC8300" section="2.5.1" sectionFormat="of"/>.</dd> <dt>Key IdLen:">Variable.Len:</dt> <dd>Variable. Carries the length of the keyidentifier,identifier inoctets.</t> <t hangText="Key Identifier:">Carriesoctets.</dd> <dt>Key Identifier:</dt> <dd>Carries a variable-length Key Identifier object used to identify and deliver keys to SFC data plane elements. This identifier is helpfulto accommodatefor accommodating deployments relying upon keying material per SFC/SFP. The key identifier helpsin resolvingto resolve the problem of synchronization of keying material. A single key identifier is used tolookuplook up both the ENC_KEY and the MAC_KEY associated with a key, and the corresponding encryption and MAC algorithms used with thosekeys.</t> <t hangText="Timestamp:">Referkeys.</dd> <dt>Timestamp:</dt> <dd>Refer to <xreftarget="timef"></xref>target="timef" format="default"/> for more details about the structure of thisfield.</t> <t hangText="Nonce Length:">Carriesfield.</dd> <dt>Nonce Length:</dt> <dd>Carries the length of the Nonce. If the Context Headers are only integrity protected, "Nonce Length" is set to zero (that is, no "Nonce" isincluded).</t> <t hangText="Nonce:">Carriesincluded).</dd> <dt>Nonce:</dt> <dd>Carries the Nonce for the authenticated encryption operation(Section 3.1 of <xref target="RFC5116"></xref>).</t> <t hangText="Encrypted(<xref target="RFC5116" section="3.1" sectionFormat="of"/>).</dd> <dt>Encrypted ContextHeaders:">CarriesHeaders:</dt> <dd>Carries the optional encrypted ContextHeaders.</t> <t hangText="MessageHeaders.</dd> <dt>Message Authentication Code:">Covers</dt> <dd>Covers the entire NSH data, excluding the Baseheader.</t> </list></t>Header.</dd> </dl> </section> <section anchor="enc2"title="MAC#2numbered="true" toc="default"> <name>MAC#2 ContextHeader"> <t>MAC#2Header</name> <t>The MAC#2 Context Header is avariable-lengthVariable-Length Context Header that carries the MAC for the entire NSH data calculated using MAC_KEYand optionallyand, optionally, Context Headers encrypted using ENC_KEY. The scope of the integrity protection provided by this Context Header is depicted in <xreftarget="scope2"></xref>.</t>target="scope2" format="default"/>.</t> <figurealign="center" anchor="scope2" title="Scopeanchor="scope2"> <name>Scope ofMAC#2">MAC#2</name> <artworkalign="center"><![CDATA[align="center" name="" type="" alt=""><![CDATA[ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<--+ |Ver|O|U| TTL | Length |U|U|U|U|MD Type| Next Protocol | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Service Path Identifier | Service Index | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ~ Variable-Length Unencrypted Context Headers (opt.) ~ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Metadata Class | Type |U| Length | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Key Id Len | Key Identifier (Variable) ~ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ~ Timestamp (8 bytes) ~ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Nonce Length | Nonce (Variable) ~ | +->+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ Encrypted Context Headers (opt.) ~ | +->+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ Message Authentication Code ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | | | | ~ Inner Packet on which NSH is imposed ~ | | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<--| | | |Integrity ProtectionIntegrity-Protection Scope ----+ +----Encrypted Data ]]></artwork> </figure><t></t><t>In reference to <xreftarget="mac"></xref>,target="mac" format="default"/>, the description of the fields is asfollows:<list style="hanging"> <t hangText="Metadata Class:">MUSTfollows:</t> <dl newline="false" spacing="normal" indent="12"> <dt>Metadata Class:</dt> <dd><bcp14>MUST</bcp14> be set to 0x0(Section 2.5.1 of <xref target="RFC8300"></xref>).</t> <t hangText="Type:">TBD2 (See(<xref target="RFC8300" section="2.2" sectionFormat="of"/>).</dd> <dt>Type:</dt> <dd>0x03 (see <xreftarget="IANA"></xref>)</t> <t hangText="U:">Unassignedtarget="IANA" format="default"/>).</dd> <dt>U:</dt> <dd>Unassigned bit(Section 2.5.1 of <xref target="RFC8300"></xref>).</t> <t hangText="Length:">Indicates(<xref target="RFC8300" section="2.5.1" sectionFormat="of"/>).</dd> <dt>Length:</dt> <dd>Indicates the length of the variable-lengthmetadata,metadata in bytes. Padding considerations are discussed inSection 2.5.1 of<xreftarget="RFC8300"></xref>.</t> <t hangText="Keytarget="RFC8300" section="2.5.1" sectionFormat="of"/>.</dd> <dt>Key IdLen:">See <xref target="enc1"></xref>.</t> <t hangText="Key Identifier:">See <xref target="enc1"></xref>.</t> <t hangText="Timestamp:">See <xref target="timef"></xref>.</t> <t hangText="Nonce Length:">SeeLen:</dt> <dd>See <xreftarget="enc1"></xref>.</t> <t hangText="Nonce:">See <xref target="enc1"></xref>.</t> <t hangText="Encryptedtarget="enc1" format="default"/>.</dd> <dt>Key Identifier:</dt> <dd>See <xref target="enc1" format="default"/>.</dd> <dt>Timestamp:</dt> <dd>See <xref target="timef" format="default"/>.</dd> <dt>Nonce Length:</dt> <dd>See <xref target="enc1" format="default"/>.</dd> <dt>Nonce:</dt> <dd>See <xref target="enc1" format="default"/>.</dd> <dt>Encrypted ContextHeaders:">CarriesHeaders:</dt> <dd>Carries the optional encrypted ContextHeaders.</t> <t hangText="MessageHeaders.</dd> <dt>Message AuthenticationCode:">CoversCode:</dt> <dd>Covers the entire NSHdata.</t> </list></t>data.</dd> </dl> </section> </section> <section anchor="timef"title="Timestamp Format">numbered="true" toc="default"> <name>Timestamp Format</name> <t>This section follows the template provided inSection 3 of<xreftarget="RFC8877"></xref>.</t>target="RFC8877" section="3" sectionFormat="of"/>.</t> <t>The format of the Timestamp field introduced in <xreftarget="new"></xref>target="new" format="default"/> is depicted in <xreftarget="tf"></xref>.</t> <t><figure anchor="tf" title="Timestamptarget="tf" format="default"/>.</t> <figure anchor="tf"> <name>Timestamp FieldFormat">Format</name> <artworkalign="center"><![CDATA[align="center" name="" type="" alt=""><![CDATA[ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Seconds | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Fraction | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+]]></artwork></figure>Timestamp</figure> <dl spacing="normal" newline="true"> <dt>Timestamp fieldformat:<list style="empty"> <t>Seconds: specifiesformat:</dt> <dd> <dl> <dt>Seconds:</dt><dd>Specifies the integer portion of the number of seconds since theepoch.</t> <t>+ Size:epoch.</dd> <dt>+ Size:</dt><dd> 32bits.</t> <t>+ Units: seconds.</t> <t>Fraction: specifiesbits</dd> <dt>+ Units:</dt><dd> Seconds</dd> <dt>Fraction:</dt><dd> Specifies the fractional portion of the number of seconds since theepoch.</t> <t>+ Size:epoch.</dd> <dt>+ Size:</dt><dd> 32bits.</t> <t>+ Units: thebits</dd> <dt>+ Units:</dt><dd>The unit is2^(-32)2<sup>(-32)</sup> seconds, which is roughly equal to 233picoseconds.</t> </list></t> <t>Epoch:<list style="empty"> <t>Thepicoseconds.</dd> </dl> </dd> </dl> <dl newline="true"> <dt>Epoch:</dt> <dd>The epoch is 1970-01-01T00:00 in UTC time. Note that this epoch value is different from the one used inSection 6 of<xreftarget="RFC5905"></xref>target="RFC5905" section="6" sectionFormat="of"/> (which will wrap around in2036).</t> </list></t> <t>Leap seconds:<list style="empty"> <t>This2036).</dd> <dt>Leap seconds:</dt> <dd>This timestamp format is affected by leap seconds. The timestamp represents the number of seconds elapsed since the epoch minus the number of leapseconds.</t> </list></t> <t>Resolution:<list style="empty"> <t>Theseconds.</dd> <dt>Resolution:</dt> <dd>The resolution is2^(-32) seconds.</t> </list></t> <t>Wraparound:<list style="empty"> <t>This2<sup>(-32)</sup> seconds.</dd> <dt>Wraparound:</dt> <dd>This time format wraps around every2^322<sup>32</sup> seconds, which is roughly 136 years. The next wraparound will occur in the year2106.</t> </list>Synchronization aspects:<list style="empty"> <t>It2106.</dd> <dt>Synchronization aspects:</dt> <dd>It is assumed that SFC data plane elements are synchronized to UTC using a synchronization mechanism that is outside the scope of this document. In typical deployments, SFC data plane elements use NTP <xreftarget="RFC5905"></xref>target="RFC5905" format="default"/> for synchronization. Thus, the timestamp may be derived from the NTP-synchronized clock, allowing the timestamp to be measured with respect to the clock of an NTP server. Since this time format is specified in terms of UTC, it is affected by leap seconds (in a manner analogous to the NTP time format, which is similar). Therefore, the value of a timestamp during or slightly after a leap second may be temporarilyinaccurate.</t> </list></t>inaccurate.</dd> </dl> </section> <section anchor="prorules"title="Processing Rules">numbered="true" toc="default"> <name>Processing Rules</name> <t>The following subsections describe the processing rules forintegrity protectedintegrity-protected NSHand optionallyand, optionally, encrypted Context Headers.</t> <section anchor="gen"title="Generic Behavior">numbered="true" toc="default"> <name>Generic Behavior</name> <t>This document adheres to the recommendations inSection 8.1 of<xreftarget="RFC8300"></xref>target="RFC8300" section="8.1" sectionFormat="of"/> for handling the Context Headers at both ingress and egress SFC boundary nodes (i.e., to strip the entire NSH, including Context Headers).</t> <t>Failures of aclassifierClassifier to inject the Context Headers defined in this documentSHOULD<bcp14>SHOULD</bcp14> be logged locally while a notification alarmMAY<bcp14>MAY</bcp14> be sent to an SFC control element. Failures of an NSH-aware node to validate the integrity of the NSH dataMUST<bcp14>MUST</bcp14> cause that packet to be discarded while a notification alarmMAY<bcp14>MAY</bcp14> be sent to an SFC control element. The details of sending notification alarms (i.e., the parameters that affect the transmission of the notification alarms depending on the information in thecontext headerContext Header such as frequency, thresholds, and content in the alarm)SHOULD<bcp14>SHOULD</bcp14> be configurable.</t> <t>NSH-aware SFs and SFC proxiesMAY<bcp14>MAY</bcp14> be instructed to strip some encrypted Context Headers from the packet or to pass the data to the next SF in the service function chain after processing the content of the Context Headers. If no instruction is provided, the default behavior for intermediary NSH-aware nodes is to maintain such Context Headers so that the information can be passed to the next NSH-aware hops. NSH-aware SFs and SFC proxiesMUST re-apply<bcp14>MUST</bcp14> reapply the integrity protection if any modification is made to the Context Headers (e.g., strip a Context Header, update the content of an existing Context Header, insert a new Context Header).</t> <t>An NSH-aware SF or SFC Proxy that is not allowed to decrypt any Context HeadersMUST NOT<bcp14>MUST NOT</bcp14> be given access to the ENC_KEY.</t> <t>Otherwise, an NSH-aware SF or SFC Proxy that receives encrypted Context Headers, for which it is not allowed to consume a specific Context Header it decrypts (but consumes others),MUST<bcp14>MUST</bcp14> keep that Context Header unaltered when forwarding the packet upstream.</t> <t>Only one instance of a "MAC and Encrypted Metadata" Context Header (<xreftarget="new"></xref>)target="new" format="default"/>) is allowed in an NSH level. If multiple instances of a "MAC and Encrypted Metadata" Context Header are included in an NSH level, the SFC data plane elementMUST<bcp14>MUST</bcp14> process the first instance and ignore subsequentinstances,instances andMAY<bcp14>MAY</bcp14> log or increase a counter for this event as perSection 2.5.1 of<xreftarget="RFC8300"></xref>.target="RFC8300" section="2.5.1" sectionFormat="of"/>. IfNSH-in-NSHNSH within NSH is used (<xreftarget="nsh-in-nsh"></xref>),target="nsh-in-nsh" format="default"/>), distinct LoAs may be used for each NSH level.</t> <t>MTU and fragmentation considerations are discussed in <xreftarget="MTU"></xref>.</t>target="MTU" format="default"/>.</t> </section> <sectiontitle="MACnumbered="true" toc="default"> <name>MAC NSH DataGeneration">Generation</name> <t>After performing any Context Header encryption, the HMAC algorithm discussed in <xreftarget="RFC4868"></xref>target="RFC4868" format="default"/> is used to integrity protect the target NSH data. An NSH imposer inserts a "MAC and Encrypted Metadata" Context Header for integrity protection (<xreftarget="new"></xref>).</t>target="new" format="default"/>).</t> <t>The NSH imposer sets the MAC field to zero and then computes the message integrity for the target NSH data (depending on theintegrity protectionintegrity-protection scope discussed in <xreftarget="new"></xref>)target="new" format="default"/>) using the MAC_KEY and HMAC algorithm. It inserts the computed digest in the MAC field of the "MAC and Encrypted Metadata" Context Header. The length of the MAC is decided by the HMAC algorithm adopted for the particular key identifier.</t> <t>The Message Authentication Code (T) computation process for the target NSH data with HMAC-SHA-256-128() can be illustrated as follows:</t><figure> <artwork><![CDATA[<artwork name="" type="" align="left" alt=""><![CDATA[ T = HMAC-SHA-256-128(MAC_KEY, target NSH data) ]]></artwork></figure> <t></t><t>An entity in the SFP that updates the NSHMUST<bcp14>MUST</bcp14> follow the above behavior to maintain message integrity of the NSH for subsequent validations.</t> </section> <sectiontitle="Encryptednumbered="true" toc="default"> <name>Encrypted NSH MetadataGeneration">Generation</name> <t>An NSH imposer can encrypt Context Headers carrying sensitive metadata, i.e., encrypted and unencrypted metadata may be carried simultaneously in the same NSH packet (Sections <xref format="counter"target="scope1"></xref>target="scope1"/> and <xref format="counter"target="scope2"></xref>).</t>target="scope2"/>).</t> <t>In order to prevent pervasive monitoring <xreftarget="RFC7258"></xref>,target="RFC7258" format="default"/>, it isRECOMMENDED<bcp14>RECOMMENDED</bcp14> to encrypt all Context Headers. All Context Headers carrying privacy-sensitive metadataMUST<bcp14>MUST</bcp14> be encrypted; by doing so, privacy-sensitive metadata is not revealed to attackers.Privacy specificPrivacy-specific threats are discussed inSection 5.2 of<xreftarget="RFC6973"></xref>.</t>target="RFC6973" section="5.2" sectionFormat="of"/>.</t> <t>Using the secret key (ENC_KEY) and authenticated encryption algorithm, the NSH imposer encrypts the Context Headers (as set, for example, in <xreftarget="req"></xref>)target="req" format="default"/>) and inserts the resulting payload in the "MAC and Encrypted Metadata" Context Header (<xreftarget="new"></xref>).target="new" format="default"/>). The additional authenticated data input to the AEAD function is a zero-length byte string. The entire Context Header carryingasensitive metadata is encrypted (that is, including the MD Class, Type, Length, and associated metadata of each Context Header).</t> <t>More details about the exact encryption procedure are provided inSection 2.1 of<xreftarget="RFC5116"></xref>.target="RFC5116" section="2.1" sectionFormat="of"/>. In this case, the associated data (A) input iszero-lengthzero length forAES-GCM.</t>AES Galois/Counter Mode (AES-GCM).</t> <t>An authorized entity in the SFP that updates the content of an encrypted Context Header or needs to add a new encrypted Context HeaderMUST<bcp14>MUST</bcp14> also follow the aforementioned behavior.</t> </section> <section anchor="time"title="Timestampnumbered="true" toc="default"> <name>Timestamp for Replay AttackPrevention">Prevention</name> <t>The Timestamp imposed by an initial Classifier is left untouched along an SFP. However, it can be updated when reclassification occurs(Section 4.8 of <xref target="RFC7665"></xref>).(<xref target="RFC7665" section="4.8" sectionFormat="of"/>). The same considerations for setting the Timestamp are followed in both initial classification and reclassification (<xreftarget="timef"></xref>).</t>target="timef" format="default"/>).</t> <t>The received NSH is accepted by an NSH-aware node if the Timestamp (TS) in the NSH is recent enough to the reception time of the NSH (TSrt). The following formula is used for this check:</t><t><figure> <artwork><![CDATA[<artwork name="" type="" align="left" alt=""><![CDATA[ -Delta < (TSrt - TS) < +Delta ]]></artwork></figure></t><t>The Delta interval is a configurable parameter. The default value for the allowed Delta is 2 seconds. Special care should be taken when setting very low Delta values as this may lead to dropping legitimate traffic. If the timestamp is not within the boundaries, then the SFC data plane element receiving suchpacket MUSTpackets <bcp14>MUST</bcp14> discard the NSH message.</t> <t>Replay attacks within the Delta window may be detected by an NSH-aware node by recording a unique value derived from the packet,for example,such as a unique value from the MAC field value. Such an NSH-aware node will detect and reject duplicates. If for legitimate servicereasons,reasons some flows have to be duplicated but still share a portion of an SFP with the original flow, legitimate duplicate packets will be tagged by NSH-aware nodes involved in that segment as replay packets unless sufficient entropy is added to the duplicate packet. How such an entropy is added isimplementation-specific.</t> <t><list style="empty"> <t>Note:implementation specific.</t> <t indent="3"> Note: Within the timestampdeltaDelta window, defining a sequence number to protect against replay attacks may be considered. In such a mode, NSH-aware nodes must discard packets with duplicate sequence numbers within the timestampdeltaDelta window. However, in deployments with several instances of the same SF (e.g., cluster or load-balanced SFs), a mechanism to coordinate among those instances to discard duplicate sequence numbers is required. Because the coordination mechanism to comply with this requirement isservice-specific,service specific, this document does not include thisprotection.</t> </list></t>protection. </t> <t>All SFC data plane elements must be synchronized among themselves. These elements may be synchronized to a global reference time.</t> </section> <sectiontitle="NSHnumbered="true" toc="default"> <name>NSH DataValidation">Validation</name> <t>When an SFC data plane element that conforms to this specification needs to check the validity of the NSH data, itMUST<bcp14>MUST</bcp14> ensure that a "MAC and Encrypted Metadata" Context Header is included in a received NSH packet. The imposerMUST<bcp14>MUST</bcp14> silently discard the packet andMUST<bcp14>MUST</bcp14> log an error at least once per the SPI if at least one of the following isobserved:<list style="symbols"> <t>theobserved:</t> <ul spacing="normal"> <li>the "MAC and Encrypted Metadata" Context Header ismissing,</t> <t>themissing,</li> <li>the enclosed key identifier is unknown or invalid (e.g., the corresponding keyexpired),</t> <t>theexpired), or</li> <li>the timestamp is invalid (<xreftarget="time"></xref>).</t> </list></t>target="time" format="default"/>).</li> </ul> <t>If the timestamp check is successfully passed, the SFC data plane element proceeds with NSH data integrity validation. After storing the value of the MAC field in the "MAC and Encrypted Metadata" Context Header, the SFC data plane element fills the MAC field with zeros. Then, the SFC data plane element generates the message integrity for the target NSH data (depending on theintegrity protectionintegrity-protection scope discussed in <xreftarget="new"></xref>)target="new" format="default"/>) using the MAC_KEY and HMAC algorithm. If the value of the newly generated digest is identical to the stored one, the SFC data plane element is certain that the NSH data has not been tampered with and validation is therefore successful. Otherwise, the NSH packetMUST<bcp14>MUST</bcp14> be discarded. The comparison of the computed HMAC value to the stored valueMUST<bcp14>MUST</bcp14> be done in a constant-time manner to thwart timing attacks.</t> </section> <sectiontitle="Decryptionnumbered="true" toc="default"> <name>Decryption of NSHMetadata">Metadata</name> <t>If entitled to consume a supplied encrypted Context Header, an NSH-aware SF or SFC Proxy decrypts metadata using (K) and a decryption algorithm for the key identifier in the NSH.</t><t>Authenticated<t>The authenticated encryption algorithm has only a single output, either a plaintext or a special symbol (FAIL) that indicates that the inputs are not authentic(Section 2.2 of [RFC5116]).</t>(<xref target="RFC5116" section="2.2" sectionFormat="of"/>).</t> </section> </section> <section anchor="MTU"title="MTU Considerations">numbered="true" toc="default"> <name>MTU Considerations</name> <t>The SFC architecture prescribes that additional information be added to packets to:<list style="symbols"> <t>Identify</t> <ul spacing="normal"> <li>Identify SFPs: this is typically the NSH Base Header and Service PathHeader.</t> <t>CarryHeader.</li> <li>Carry metadata such asthosethat defined in <xref format="default"target="new"></xref>.</t> <t>Steertarget="new"/>.</li> <li>Steer the traffic along the SFPs: This is realized by means of transportencapsulation.</t> </list></t>encapsulation.</li> </ul> <t>This added information increases the size of the packet to be carried along an SFP.</t> <t>Aligned withSection 5 of<xreftarget="RFC8300"></xref>,target="RFC8300" section="5" sectionFormat="of"/>, it isRECOMMENDED for<bcp14>RECOMMENDED</bcp14> that network operatorstoincrease the underlying MTU so that NSH traffic is forwarded within an SFC-enabled domain without fragmentation. The available underlying MTU should be taken into account by network operators when providing SFs with the required Context Headers to be injected per SFP and the size of the data to be carried in these Context Headers.</t> <t>If the underlying MTU cannot be increased to accommodate the NSH overhead, network operators may rely upon a transport encapsulation protocol with the required fragmentation handling. The impact of activating suchfeaturefeatures on SFFs should be carefully assessed by network operators(Section 5.6 of <xref target="RFC7665"></xref>).</t>(<xref target="RFC7665" section="5.6" sectionFormat="of"/>).</t> <t>When dealing with MTU issues, network operators should consider the limitations of various tunnel mechanisms such as those discussed in <xreftarget="I-D.ietf-intarea-tunnels"></xref>.</t>target="I-D.ietf-intarea-tunnels" format="default"/>.</t> </section> <section anchor="Security"title="Security Considerations">numbered="true" toc="default"> <name>Security Considerations</name> <t>Data plane SFC-related security considerations, including privacy, are discussed inSection 6 of<xreftarget="RFC7665"></xref>target="RFC7665" section="6" sectionFormat="of"/> andSection 8 of<xreftarget="RFC8300"></xref>.target="RFC8300" section="8" sectionFormat="of"/>. In particular,Section 8.2.2 of<xreftarget="RFC8300"></xref>target="RFC8300" section="8.2.2" sectionFormat="of"/> states that attached metadata (i.e., Context Headers) should be limited to that which is necessary for correct operation of the SFP. Also, that section indicates that <xreftarget="RFC8165"></xref>target="RFC8165" format="default"/> discusses metadata considerations that operators can take into account when using NSH.</t> <t>The guidelines for cryptographic key management are discussed in <xreftarget="RFC4107"></xref>.target="RFC4107" format="default"/>. The group key managementprotocol relatedprotocol-related security considerations discussed inSection 8 of<xreftarget="RFC4046"></xref> needstarget="RFC4046" section="8" sectionFormat="of"/> need to be taken into consideration.</t> <t>The interaction between the SFC data plane elements and a key management systemMUST NOT<bcp14>MUST NOT</bcp14> be transmittedin clearunencrypted since this would completely destroy the security benefits of theintegrity protectionintegrity-protection solution defined in this document.</t> <t>The secret key (K) must have an expiration time assigned as the latest point in time before which the key may be used for integrity protection of NSH data and encryption of Context Headers. Prior to the expiration of the secret key, all participating NSH-aware nodesSHOULD<bcp14>SHOULD</bcp14> have the control plane distribute a new key identifier and associated keying material so that when the secret key is expired, those nodes are prepared with the new secret key. This allows the NSH imposer to switch to the new key identifier as soon as necessary. It isRECOMMENDED<bcp14>RECOMMENDED</bcp14> that the next key identifier and associated keying material be distributed by the control plane well prior to the secret key expiration time. Additional guidance for users of AEAD functions about rekeying can be found in <xreftarget="I-D.irtf-cfrg-aead-limits"></xref>.</t>target="I-D.irtf-cfrg-aead-limits" format="default"/>.</t> <t>The security and integrity of the key-distribution mechanism is vital to the security of the SFC system as a whole.</t> <t>NSH dataareis exposed to several threats:</t><t><list style="symbols"> <t>A<ul spacing="normal"> <li>An on-path attacker modifying the NSHdata.</t> <t>Attackerdata.</li> <li>An attacker spoofing the NSHdata.</t> <t>Attackerdata.</li> <li>An attacker capturing and replaying the NSHdata.</t> <t>Datadata.</li> <li>Data carried in Context Headers revealing privacy-sensitive information toattackers.</t> <t>Attackerattackers.</li> <li>An attacker replacing the packet on which the NSH is imposed with a modified or boguspacket.</t> </list></t>packet.</li> </ul> <t>In an SFC-enabled domain where the above attacks are possible, (1) NSH dataMUST<bcp14>MUST</bcp14> beintegrity-protectedintegrity protected andreplay-protected,replay protected, and (2) privacy-sensitive NSH metadataMUST<bcp14>MUST</bcp14> be encrypted for confidentiality preservation purposes. The Base and Service PathheadersHeaders are not encrypted.</t> <t>MACs with two levels of assurance are defined in <xreftarget="new"></xref>.target="new" format="default"/>. Considerations specific to each level of assurance are discussed in Sections <xref format="counter"target="mac1"></xref>target="mac1"/> and <xref format="counter"target="mac2"></xref>.</t>target="mac2"/>.</t> <t>The attacks discussed in <xreftarget="I-D.nguyen-sfc-security-architecture"></xref>target="I-D.nguyen-sfc-security-architecture" format="default"/> are handledowing tobased on the solution specified in this document,except forwith the exception of attacks dropping packets. Such attacks can be detected by relying upon statistical analysis; such analysis is out of the scope of this document. Also, if SFFs are not involved in the integrity checks, a misbehaving SFFwhichthat decrements SI while this should be done by an SF (SF bypass attack) will be detected by an upstream SF because the integrity check will fail.</t> <t>Some events are logged locally with notification alerts sent by NSH-aware nodes to a Control Element. These eventsSHOULD<bcp14>SHOULD</bcp14> berate-limited.</t>rate limited.</t> <t>The solution specified in this document does not provide data origin authentication.</t> <t>In order to detect compromised nodes, it is assumed that appropriate mechanisms to monitor and audit an SFC-enabled domain to detect misbehavior and to deter misuse are in place. Compromised nodes can thus be withdrawn from active service function chains using appropriate control plane mechanisms.</t> <section anchor="mac1"title="MAC#1">numbered="true" toc="default"> <name>MAC#1</name> <t>An active attacker can potentially modify the BaseheaderHeader (e.g., decrement the TTL so the next SFF in the SFP discards the NSH packet). An active attacker can typically also drop NSH packets. As such, this attack is not considered an attack against the security mechanism specified in the document.</t> <t>It is expected that specific devices in the SFC-enabled domain will be configured such that no device other than theclassifiersClassifiers (when reclassification is enabled), NSH-aware SFs, and SFC proxies will be able to update theintegrity protectedintegrity-protected NSH data (<xreftarget="gen"></xref>),target="gen" format="default"/>), andalso such thatno device other than the NSH-aware SFs and SFC proxies will be able to decrypt and update the Context Headers carrying sensitive metadata (<xreftarget="gen"></xref>).target="gen" format="default"/>). In other words,ifit is expected that the NSH-aware SFs and SFC proxies in the SFC-enabled domain are considered fully trusted to act on the NSH data. Only these elements can have access to sensitive NSH metadata and the keying material used to integrity protect NSH data and encrypt Context Headers.</t> </section> <section anchor="mac2"title="MAC#2">numbered="true" toc="default"> <name>MAC#2</name> <t>SFFs can detect whether an illegitimate node has altered the content of the Baseheader.Header. Such messages must be discarded with appropriate logs and alarms generated (see <xreftarget="gen"></xref>).</t>target="gen" format="default"/>).</t> <t>Similar to <xreftarget="mac1"></xref>,target="mac1" format="default"/>, no device other than the NSH-aware SFs and SFC proxies in the SFC-enabled domain should be able to decrypt and update the Context Headers carrying sensitive metadata.</t> </section> <sectiontitle="Time Synchronization">numbered="true" toc="default"> <name>Time Synchronization</name> <t><xreftarget="RFC8633"></xref>target="RFC8633" format="default"/> describes best current practices to be considered in deployments where SFC data plane elements use NTP fortime synchronizationtime-synchronization purposes.</t> <t>Also, a mechanism to provide cryptographic security for NTP is specified in <xreftarget="RFC8915"></xref>.</t>target="RFC8915" format="default"/>.</t> </section> </section> <section anchor="IANA"title="IANA Considerations"> <t>This document requests IANA to assignnumbered="true" toc="default"> <name>IANA Considerations</name> <t>IANA has added the following typesfromto the "NSH IETF-Assigned Optional Variable-Length Metadata Types" registry (0x0000 IETF Base NSH MD Class)registry available at: https://www.iana.org/assignments/nsh/nsh.xhtml#optional-variable-length-metadata-types.</t> <t><figure> <artwork align="center"><![CDATA[+-------+-------------------------------+----------------+ | Value | Description | Reference | +=======+===============================+================+ | TBD1 | MACat <eref brackets="angle" target="https://www.iana.org/assignments/nsh"/>. </t> <table> <name>Additions to the NSH IETF-Assigned Optional Variable-Length Metadata Types Registry</name> <thead> <tr> <th>Value</th> <th>Description</th> <th>Reference</th> </tr> </thead> <tbody> <tr> <td>0x02</td> <td>MAC and Encrypted Metadata#1 | [ThisDocument] | | TBD2 | MAC#1</td> <td>RFC 9145</td> </tr> <tr> <td>0x03</td> <td>MAC and Encrypted Metadata#2 | [ThisDocument] | +-------+-------------------------------+----------------+]]></artwork> </figure></t>#2</td> <td>RFC 9145</td> </tr> </tbody> </table> </section> </middle> <back> <displayreference target="I-D.ietf-intarea-tunnels" to="INTERNET-IP-TUNNELS"/> <displayreference target="I-D.arkko-farrell-arch-model-t" to="INTERNET-THREAT-MODEL"/> <displayreference target="I-D.nguyen-sfc-security-architecture" to="ARCH-SFC-THREATS"/> <displayreference target="I-D.irtf-cfrg-aead-limits" to="AEAD-LIMITS"/> <references> <name>References</name> <references> <name>Normative References</name> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8300.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7665.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4868.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5116.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4107.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2104.xml"/> <reference anchor="GCM"> <front> <title>Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC</title> <author initials="M." surname="Dworkin"> <organization/> </author> <date month="November" year="2007"/> </front> <seriesInfo name="NIST" value="Special Publication 800-38D"/> <seriesInfo name="DOI" value="10.6028/NIST.SP.800-38D"/> </reference> </references> <references> <name>Informative References</name> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8459.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8877.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7498.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5905.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7258.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6973.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8165.xml"/> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/draft-ietf-intarea-tunnels.xml"/> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/draft-arkko-farrell-arch-model-t.xml"/> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/draft-nguyen-sfc-security-architecture.xml"/> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/draft-irtf-cfrg-aead-limits.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7635.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8915.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8633.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4046.xml"/> </references> </references> <sectiontitle="Acknowledgements">numbered="false" toc="default"> <name>Acknowledgements</name> <t>This document waseditedcreated as a follow-up to the discussion inIETF#104: https://datatracker.ietf.org/meeting/104/materials/slides-104-sfc-sfc-chair-slides-01IETF 104: <eref brackets="angle" target="https://datatracker.ietf.org/meeting/104/materials/slides-104-sfc-sfc-chair-slides-01"/> (slide 7).</t> <t>Thanks toJoel Halpern, Christian Jacquenet, Dirk<contact fullname="Joel Halpern"/>, <contact fullname="Christian Jacquenet"/>, <contact fullname="Dirk vonHugo, Tal Mizrahi, Daniel Migault, Diego Lopez, Greg Mirsky, and Dhruv DhodyHugo"/>, <contact fullname="Tal Mizrahi"/>, <contact fullname="Daniel Migault"/>, <contact fullname="Diego Lopez"/>, <contact fullname="Greg Mirsky"/>, and <contact fullname="Dhruv Dhody"/> for the comments.</t> <t>Many thanks toSteve Hanna<contact fullname="Steve Hanna"/> for the valuable secdir review andJürgen Schönwälder<contact fullname="Juergen Schoenwaelder"/> for the opsdir review.</t> <t>Thanks toGreg Mirsky<contact fullname="Greg Mirsky"/> for theShepherd review.</t><contact fullname="Shepherd review"/>.</t> <t>Thanks toAlvaro Retana, Lars Eggert, Martin Duke, Erik Kline, Zaheduzzaman Sarker, Éric Vyncke, Roman Danyliw, Murray Kucherawy, John Scudder, and Benjamin Kaduk<contact fullname="Alvaro Retana"/>, <contact fullname="Lars Eggert"/>, <contact fullname="Martin Duke"/>, <contact fullname="Erik Kline"/>, <contact fullname="Zaheduzzaman Sarker"/>, <contact fullname="Éric Vyncke"/>, <contact fullname="Roman Danyliw"/>, <contact fullname="Murray Kucherawy"/>, <contact fullname="John Scudder"/>, and <contact fullname="Benjamin Kaduk"/> for the IESG review.</t> </section></middle> <!-- *****BACK MATTER ***** --> <back> <references title="Normative References"> <?rfc include="reference.RFC.8300"?> <?rfc include='reference.RFC.7665'?> <?rfc include='reference.RFC.2119'?> <?rfc include='reference.RFC.8174'?> <?rfc include='reference.RFC.4868'?> <?rfc include='reference.RFC.5116'?> <?rfc include='reference.RFC.4107'?> <?rfc include='reference.RFC.2104'?> <reference anchor="GCM"> <front> <title>Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC</title> <author initials="M." surname="Dworkin"> <organization></organization> </author> <date month="November" year="2007" /> </front> <seriesInfo name="NIST" value="Special Publication 800-38D" /> </reference> </references> <references title="Informative References"> <?rfc include="reference.RFC.8459"?> <?rfc include='reference.RFC.8877'?> <?rfc include='reference.RFC.7498'?> <?rfc include='reference.RFC.5905'?> <?rfc include="reference.RFC.7258"?> <?rfc include="reference.RFC.6973"?> <?rfc include='reference.RFC.8165'?> <?rfc include='reference.I-D.ietf-intarea-tunnels'?> <?rfc include='reference.I-D.arkko-farrell-arch-model-t'?> <?rfc include='reference.I-D.nguyen-sfc-security-architecture'?> <?rfc include='reference.I-D.irtf-cfrg-aead-limits'?> <?rfc include='reference.RFC.7635'?> <?rfc include='reference.RFC.8915'?> <?rfc include='reference.RFC.8633'?> <?rfc include='reference.RFC.4046'?> <!----> </references></back> </rfc>